NPM supply chain attack uses Ethereum blockchain

Nov 05, 2024

Checkmarx researchers have detected a unique supply chain attack within the NPM ecosystem that uses the Ethereum blockchain.

The malicious package, dubbed “jest-fet-mock,” targets developers with multi-platform malware that uses an Ethereum smart contract for command-and-control (C2) operations. This marks a convergence of blockchain technology with traditional attack vectors, a method not previously observed in NPM packages.

Attack mechanics and distribution

The “jest-fet-mock” package, masquerading as a trusted JavaScript testing utility, was first noted in mid-October. It hides its true intent behind a carefully crafted façade by mimicking two legitimate packages: “fetch-mock-jest,” which garners around 200,000 downloads weekly, and “Jest-Fetch-Mock,” which reaches approximately 1.3 million weekly downloads.

Using a typosquatting technique, the attackers misspelt “fetch” as “fet” while preserving the recognisable “jest” and “mock” elements, so that developers who mistype or skim the name install the malicious package instead.

Upon installation, the package uses an NPM preinstall script to run its malicious code. The malware targets development infrastructure specifically, executing info-stealing functions across Windows, Linux, and macOS environments and establishing persistence through mechanisms tailored to each system.
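As an added example (not Checkmarx's code nor anything from the package), the following Node.js script applies the two checks a defender can derive from the description above: it flags install-time lifecycle hooks and package names within a small edit distance of a popular package, run over a constructed sample dependency list. The popular-package list, the two-edit threshold and the sample `setup.js` command are assumptions.

```javascript
// Popular packages the typosquat imitates (from the article) plus two extras.
const POPULAR = ["fetch-mock-jest", "jest-fetch-mock", "jest", "lodash"];
// Package name reported as malicious in the article.
const KNOWN_BAD = new Set(["jest-fet-mock"]);
// npm lifecycle hooks that run arbitrary commands during `npm install`.
const LIFECYCLE = ["preinstall", "install", "postinstall"];
const MAX_DISTANCE = 2; // edits at or below which a name counts as a near-miss

// Classic dynamic-programming edit distance (insert, delete, substitute).
function levenshtein(a, b) {
  let prev = Array.from({ length: b.length + 1 }, (_, j) => j);
  for (let i = 1; i <= a.length; i++) {
    const cur = [i];
    for (let j = 1; j <= b.length; j++) {
      const cost = a[i - 1] === b[j - 1] ? 0 : 1;
      cur[j] = Math.min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + cost);
    }
    prev = cur;
  }
  return prev[b.length];
}

// Returns findings for one package.json-like object; an empty array means clean.
// Names are lowercased because npm package names are always lowercase.
function auditPackage(pkg) {
  const name = String(pkg.name || "").toLowerCase();
  const findings = [];
  if (KNOWN_BAD.has(name)) findings.push("known malicious package name");
  for (const hook of LIFECYCLE) {
    if (pkg.scripts && pkg.scripts[hook]) findings.push(`runs ${hook} script: ${pkg.scripts[hook]}`);
  }
  if (!POPULAR.includes(name)) {
    for (const p of POPULAR) {
      const d = levenshtein(name, p);
      if (d > 0 && d <= MAX_DISTANCE) findings.push(`name is ${d} edit(s) from ${p}`);
    }
  }
  return findings;
}

// Audits a list of packages; returns only those with findings, keyed by name.
const auditTree = (packages) => Object.fromEntries(
  packages.map((p) => [p.name, auditPackage(p)]).filter(([, f]) => f.length));

// Constructed sample: a legitimate package and a typosquat with a preinstall hook.
const SAMPLE = [
  { name: "fetch-mock-jest", version: "1.5.1", scripts: { test: "jest" } },
  { name: "jest-fet-mock", version: "1.0.0", scripts: { preinstall: "node setup.js" } },
];
console.log(JSON.stringify(auditTree(SAMPLE), null, 2));
```

In practice the input would be the `package.json` of every entry under `node_modules`, and the popular-package list would come from a registry download ranking.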

All variants connect back to the attackers’ C2 server, maintaining consistent communication for further exploitation.

Ethereum blockchain command-and-control

A notable aspect of this supply chain attack is its use of the Ethereum blockchain for C2 operations. The Ethereum smart contract, located at address “0xa1b40044EBc2794f207D45143Bd82a1B86156c6b”, exposes a “getString” method through which the malware retrieves its C2 server address.

By tapping into the blockchain’s inherent immutability and decentralisation, the attackers have crafted a resilient infrastructure – tough to eliminate or intercept – thereby enhancing the persistence and adaptability of their malicious campaign.

Ripple effect and countermeasures

Upon analysis, Checkmarx researchers identified malware variants tailored for each operating system:

  • Windows: SHA-256 df67a118cacf68ffe5610e8acddbe38db9fb702b473c941f4ea0320943ef32ba
  • Linux: SHA-256 0801b24d2708b3f6195c8156d3661c027d678f5be064906db4fefe74e1a74b17
  • macOS: SHA-256 3f4445eaf22cf236b5aeff5a5c24bf6dbc4c25dc926239b8732b351b09698653

None of these variants had been flagged as malicious by any security solution on VirusTotal. This absence of detection poses a significant threat to development environments, where such utilities are widely trusted and integrated into CI/CD pipelines.

By compromising development and testing utilities, the attackers could gain control over crucial CI/CD and build systems, posing a severe risk to software supply chains. The campaign’s use of blockchain for C2 operations signifies an evolution in supply chain attack strategies, rendering traditional detection and mitigation approaches less effective.

With additional malicious packages connected to this campaign already reported by Phylum and Socket, the threat continues to escalate.

This latest incident serves as a crucial warning for development teams to rigorously review package management practices, confirm the legitimacy of testing utilities, and implement robust security measures to safeguard their environments.

The full list of packages identified as part of this campaign can be found here.
